Buy or Renew
Buy or Renew
Cisco DNA Center is now Catalyst Center. New name, same great product. Learn more about Catalyst Center here.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2395
Views
11
Helpful
5
Replies

SDA Fusion Router Policy Enforcement

Go to solution
Mohamed Haleem
Level 1
Level 1

‎08-21-2020 04:49 PM

if we need to apply policy between users at fabric and data center servers and need to enforce this policy at fusion router or fusion switch so we will do inline tagging between border and fusion to make fusion learn source SGT and do static ip-to-sgt mapping at ISE and use SXP to transfer the servers SGT from ISE to fusion,so the question is the policy itself will be written at the DNAC or at ISE or we should write it manually at the fusion router/switch and if the fusion is firewall so what should be the case.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Benjamin-A
Level 1
Level 1
In response to Mohamed Haleem

‎08-23-2020 03:31 AM

Yes that right.
1. Define SGTs and Policies on DNAC
2. Deploy, so ISE will get configured by DNAC
3. ISE will then inform the TrustSec Devices (Fusion/Border/Edges) about a policy change and they will download the new SGTs/Policies

If you want to use Static SGT Bindings for Subnets/IP Addresses in the background:
1. Define SGT/Policy on DNAC
2. Deploy
3. Configure static IP-SGT Mapping on ISE
4. TrustSec Devices will download the new SGT and your Devices configured for SXP will download the static IP-SGT Mappings


.:|:..:|:.Please rate helpful posts.:|:..:|:.

View solution in original post

5 Replies 5

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎08-21-2020 05:40 PM

I do not recommend writing TrustSec SGACL policy manually on the fusion router or anywhere for that matter. If DNAC and ISE are integrated, write the policy in DNAC and it will be pushed to ISE. The fusion router will download the SGACLs from ISE where the TrustSec policy is held. 

Go to solution
Mohamed Haleem
Level 1
Level 1
In response to Damien Miller

‎08-22-2020 01:16 PM

Thanks Damien for your reply but the fusion is not part of the fabric so we should add the fusion to ISE to be able to download the policy from ISE is that right?

0 Helpful

Go to solution
Benjamin-A
Level 1
Level 1
In response to Mohamed Haleem

‎08-22-2020 02:51 PM - edited ‎08-23-2020 02:07 AM

Hi,

 

  1. add the Fusion Router/Switch as NAD in ISE and make sure to set the TrustSec Parameters (ID+Password)
  2. Configure the Device for TrustSec:

Helpful guide:

One option will be to just copy and paste the Fabric Switches AAA Config / CTS Config + one additionals Command in Enabled Mode to generate the PAC:

switch# cts credentials id <same ID as in ISE> password <key-1>

But I think I got every additional CTS config in here:

!--- Additional AAA/Radius Config ---!
aaa group server radius <your-network-radius-group>
 server name <radius-server1>
 ip radius source-interface <interface>
!
aaa authorization network <your-cts-list> group <your-network-radius-group>
!
cts authorization list <your-cts-list>
!
radius server <radius-server1>
 address ipv4 <ip> auth-port 1812 acct-port 1813
 timeout 4
 retransmit 3
 pac key <key-1>
!
!--- Generate PAC Key ---!
end
cts credentials id <same ID as in ISE> password <key-1>

 3. Configure the SXP Peering between Fusion and ISE for every VRF/VN so you will be ablte to make static IP-SGT Bindings

Config on Device (you also have to Configure ISE for that):

 

!--- SXP Peering with Cisco ISE ---!
cts sxp enable
cts sxp default password <password>
cts sxp connection peer <ise-psn-ip> [ source src-ipv4-addr ] password [ default | none ] mode local listener [ vrf vrf-name ]

 

4. Set up Inline Tagging between Border and Fusion

5. If your CTS Environment works enable CTS Enforcement:

 

!--- Enable the SGT Enforcement / will be enabled on every L3 Interface by default---!
cts role-based enforcement
cts role-based enforcement vlan-list <vlans>

 

 


.:|:..:|:.Please rate helpful posts.:|:..:|:.

Go to solution
Mohamed Haleem
Level 1
Level 1
In response to Benjamin-A

‎08-23-2020 02:38 AM

Many thanks Benjamin this is helpful for me and now we can write the policy itself at DNAC then DNAC push it to ISE then the fusion router will download the policy from ISE,so this work flow is right please confirm.

0 Helpful

Go to solution
Benjamin-A
Level 1
Level 1
In response to Mohamed Haleem

‎08-23-2020 03:31 AM

Yes that right.
1. Define SGTs and Policies on DNAC
2. Deploy, so ISE will get configured by DNAC
3. ISE will then inform the TrustSec Devices (Fusion/Border/Edges) about a policy change and they will download the new SGTs/Policies

If you want to use Static SGT Bindings for Subnets/IP Addresses in the background:
1. Define SGT/Policy on DNAC
2. Deploy
3. Configure static IP-SGT Mapping on ISE
4. TrustSec Devices will download the new SGT and your Devices configured for SXP will download the static IP-SGT Mappings


.:|:..:|:.Please rate helpful posts.:|:..:|:.
Customers Also Viewed These Support Documents